

Commit cf0d086

bug #36678 [WebProfiler] Do not add src-elem CSP directives if they do not exist (ndench)
This PR was merged into the 3.4 branch. Discussion ---------- [WebProfiler] Do not add src-elem CSP directives if they do not exist | Q | A | ------------- | --- | Branch? | 3.4, 4.4, 5.0 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36643 | License | MIT | Doc PR | n/a In the latest 3.4.*, 4.4.* and 5.0.* branches the `script-src-elem` and `style-src-elem` directives are added to the Content-Security-Policy header if they don't exist by copying the `default-src`. This causes browsers to ignore the `script-src` and `style-src` directives which likely contain scripts and styles the developer wanted to allow. As mentioned in the fixed ticket, we shouldn't be adding these directives if they don't exist because the browser will automatically fallback to `script-src` and `style-src` which we have already added `unsafe-inline` and the `nonce-*` to. This will need to be merged into 3.4, 4.4 and 5.0, but I was unsure which branch I am meant to base it off to start with. I've put it on 4.4 but can move it to another if required. Commits ------- d9c4708 [WebProfiler] Do not add src-elem CSP directives if they do not exist
2 parents 78a7f46 + d9c4708 commit cf0d086


2 files changed

+22
-8
lines changed


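--- a/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php
@@ -133,12 +133,11 @@ private function updateCspHeaders(Response $response, array $nonces = [])
 continue;
 }
 if (!isset($headers[$header][$type])) {
-if (isset($headers[$header]['default-src'])) {
-$headers[$header][$type] = $headers[$header]['default-src'];
-} else {
-// If there is no script-src/style-src and no default-src, no additional rules required.
+if (null === $fallback = $this->getDirectiveFallback($directives, $type)) {
 continue;
 }
+
+$headers[$header][$type] = $fallback;
 }
 $ruleIsSet = true;
 if (!\in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
@@ -218,9 +217,7 @@ private function authorizesInline(array $directivesSet, $type)
 {
 if (isset($directivesSet[$type])) {
 $directives = $directivesSet[$type];
-} elseif (isset($directivesSet['default-src'])) {
-$directives = $directivesSet['default-src'];
-} else {
+} elseif (null === $directives = $this->getDirectiveFallback($directivesSet, $type)) {
 return false;
 }
 
@@ -244,6 +241,16 @@ private function hasHashOrNonce(array $directives)
 return false;
 }
 
+private function getDirectiveFallback(array $directiveSet, $type)
+{
+if (\in_array($type, ['script-src-elem', 'style-src-elem'], true) || !isset($directiveSet['default-src'])) {
+// Let the browser fallback on it's own
+return null;
+}
+
+return $directiveSet['default-src'];
+}
+
 /**
 * Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
 * a response.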
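Review bot: `getDirectiveFallback` in the third hunk carries no docblock, and its only comment, "Let the browser fallback on it's own", neither spells "its" correctly nor states why the `*-src-elem` directives are deliberately never synthesised, which is the whole reason for this fix. I would replace that comment with `// CSP3 resolves script-src-elem/style-src-elem to script-src/style-src before default-src; synthesising them from default-src would shadow the nonce added there` and add `@return array|null` above the method, since the directive values this class compares with \in_array in the first hunk are arrays. The first hunk also now reads `default-src` from `$directives` instead of from `$headers[$header]`; that is equivalent only if the loop never rewrites `default-src`, which I cannot confirm from here because `updateCspHeaders` starts and ends outside the hunk.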

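--- a/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
+++ b/src/Symfony/Bundle/WebProfilerBundle/Tests/Csp/ContentSecurityPolicyHandlerTest.php
@@ -131,7 +131,14 @@ public function provideRequestAndResponsesForOnKernelResponse()
 ['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
 $this->createRequest(),
 $this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'']),
-['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src-elem \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src-elem \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; style-src \'self\' domain-report-only.com \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
+],
+[
+$nonce,
+['csp_script_nonce' => $nonce, 'csp_style_nonce' => $nonce],
+$this->createRequest(),
+$this->createResponse(['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\'']),
+['Content-Security-Policy' => 'default-src \'self\' domain.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'Content-Security-Policy-Report-Only' => 'default-src \'self\' domain-report-only.com; script-src \'self\' \'unsafe-inline\'; script-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'; style-src \'self\' \'unsafe-inline\'; style-src-elem \'self\' \'unsafe-inline\' \'nonce-'.$nonce.'\'', 'X-Content-Security-Policy' => null],
 ],
 [
 $nonce,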
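Review bot: The dataset added to `provideRequestAndResponsesForOnKernelResponse` is unlabelled, so a future failure in it would not say which behaviour it pins; a one-line comment above its opening `[`, `// explicit *-src-elem directives receive the nonce and are never rebuilt from default-src`, would do. The provider starts and ends outside the hunk, so I cannot tell whether the sibling datasets are annotated the same way.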